Uploads Anti-Exploit Guard UAEG – Read Me First

This topic contains 41 replies, has 5 voices, and was last updated by  Rami M 3 months, 1 week ago.

  • #27347

    AITpro Admin
    Keymaster

    @ Samm – This appears to be a completely different problem than the Font Awesome problem so I have moved this to a relevant forum topic.  Before troubleshooting anything else do these things below to see if they are causing the problems.

    I see 2 things that could be a problem in general:
    1. Your website is in Maintenance Mode using this plugin: Ultimate Coming Soon Page plugin.
    – You may want to try taking the site out of Maintenance Mode to see if it is interfering with setting things up, etc.
    2. From the Security Log entry it looks like you might be using minification or a minifying plugin.
    – If you are using minification or a minifying plugin then you will not be able to use the BPS Pro Plugin Firewall and will have to deactivate it/turn it off. Or you can exclude all frontloading js scripts in your Minify plugin so that the Plugin Firewall will work correctly.

    #27348

    AITpro Admin
    Keymaster

    @ Samm – If you want me to login and figure out these issues/problems then send a WordPress Administrator login to:  info at ait-pro dot com.  The site will have to be taken out of Maintenance Mode while I am troubleshooting and fixing things.

    #27349

    Samm
    Participant

    Thanks for the help, you pointed me in the right direction to solving this.  I had already tried disabling the maintenance mode plugin – this was my first guess as to the problem.  This was not the problem.

    Since the site is still being built, I hadn’t installed a caching plugin yet.  But after you said that, I checked the plugins and there was a cache plugin bundled with the theme that was installed.  And you are correct – it has options to minify the CSS and JS.  I deactivated both of those options and now everything looks to be working (even with maintenance mode on).

    Thank you for your help and your offer to log in and fix it, but it is not needed at this time.  The cache plugin was causing the problem.  Thank you for the fastest and most helpful support in WordPress.

    #27350

    AITpro Admin
    Keymaster

    @ Samm – Great!  Glad to hear that.  From personal experience messing around with minification years ago I came to these conclusions after pulling out all of my hair:  Minification should never be automated and should ONLY be done manually since the failure rate of automated minification is pretty much 100% and you are pretty much guaranteed to break something on your website.  Minification only improves “scoring” on sites that do website metric testing/scoring and that display your website metric scores and does not speed up a WordPress website at all – total waste of time.

    #27351

    Samm
    Participant

    That’s good information, I have had some issues with minification before, but I didn’t realize that it was that large of a problem.  I thought I was solving the problem by whitelisting the .js files.

    Since I personally hadn’t uploaded and configured my caching plugin (I use WP Rocket), I never even thought of this as a potential issue.  I have to pay more attention to what plugins are bundled with the theme.

    #27356

    AITpro Admin
    Keymaster

    I think automated minification is a cool idea, but the simple fact of the matter is that there are too many variables (too many differences in a huge number of total plugins out there) in that equation.  Automated minification is not a “one size fits all” kind of thing.  In BPS Pro we gave up on trying to automate custom php.ini file creation for exactly that reason – custom php.ini file creation should never be automated because it is also not a “one size fits all” kind of thing and there are too many differences between host requirements/limitations/restrictions/php handlers/methods/etc etc etc.

    #30438

    guy te watson
    Participant

    I have a file I need to allow to be accessible for people to download through my uploads folder. I am reading these instructions above and it’s confusing as to what the exact code is to put in the Custom Codes in order to make the file accessible.  It would be great to have just a field to put the files and folder in like the plugins whitelist of the plugins ignore box, etc.  Can someone simplify what is above.  At one point we are told to “Copy and paste your entire Uploads .htaccess file code from the “Your Current Uploads htaccess File” tab on the htaccess File Editor page into the CUSTOM CODE UAEG text box” but then a simple explanation as to how to modify it to whitelist a file or folder eludes me.

    Please Help
    In Christ
    guy te

    #30439

    AITpro Admin
    Keymaster

    What would you like to whitelist?  Either post a Security Log entry showing what is blocked and needs to be whitelisted or explain in exact specific details what you would like to whitelist.  ie folder X, file or files X, Y, Z, All files with file extension .xyz.

    #30451

    guy te watson
    Participant

    Particular Files free for people to download as below

    /uploads/2015/03/How-to-Monitor-and-Respond-to-What-is-Said-About-Your-Business-2-.pdf
    /uploads/2015/03/Local-Website-Visitors-Boost-Report-2.pdf
    /uploads/2015/03/How-Online-Reviews-Can-Impact-Your-Business-2.pdf
    /uploads/2015/03/PPC-Marketing-Report-Webyellowpages-2.pdf
    /uploads/2015/03/SEO-Report-Webyellowpages-2.pdf
    /uploads/2014/10/Triple-Your-Leads-Reports.rar

    #30452

    AITpro Admin
    Keymaster

    @ guy te watson – UAEG does not block or restrict .pdf files by default.  BPS does block .rar files by default.  So you do not need to whitelist .pdf files, but do need to whitelist .rar files in the UAEG htaccess file code.  Do these steps below to whitelist all .rar file extensions so that .rar files will be accessible/downloadable in the /uploads folder.

    1. Copy and paste your entire Uploads .htaccess file code from the “Your Current Uploads htaccess File” tab on the htaccess File Editor page into the CUSTOM CODE UAEG text box.
    2. Edit/modify/customize your UAEG htaccess code in the CUSTOM CODE UAEG text box and delete/remove:  |rar from the <FilesMatch line of code that lists all of the file extension types that are protected/blocked by default.
    3. Click the Save UAEG Custom Code button to save your UAEG custom code.
    4. Go to the Security Modes page and click the UAEG BulletProof Mode Activate button.

    Note:  If PDF files are currently not accessible/viewable/downloadable then most likely the BPS UAEG htaccess file is not causing that problem. To confirm and eliminate that UAEG is causing that problem you would do BPS Pro Troubleshooting step #4:  4. On the Security Modes page, click the UAEG BulletProof Mode Deactivate button.

    #30453

    AITpro Admin
    Keymaster

    This is just an FYI and probably something that you do NOT want to do.  I am posting this as a general FYI about how to force PDF files to be downloaded instead of being opened in the Browser.  When a PDF file is opened in a Browser there is a download link to download the PDF file.  So most people prefer to allow the PDF to be opened in the Browser and then let someone choose to click the PDF download link.

    To force a PDF file to be downloaded instead of being allowed to open in the Browser you would add this additional code to the UAEG htaccess file code that you copied to the CUSTOM CODE UAEG text box. This code should go after: # END WHITELIST and before: # FORBID THESE FILE EXTENSIONS FROM BEING ACCESSED OR EXECUTED REMOTELY in the UAEG htaccess file code that you copied to the CUSTOM CODE UAEG text box.

    <FilesMatch "\.(pdf)$">
    AddType application/octet-stream .pdf
    </FilesMatch>

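
Worked example (added here; this is not code from the forum or from BPS Pro): a small Python script that carries out the two edits described in the two posts above on a constructed stand-in for the UAEG uploads .htaccess file. It removes one extension from the FilesMatch alternation (the .rar whitelisting steps), inserts the PDF AddType block between # END WHITELIST and the FORBID marker, and then simulates how Apache's FilesMatch would treat the request paths quoted in this thread. The sample .htaccess text, its short extension list, and the function names are assumptions; the real BPS Pro file lists many more extensions and its exact layout may differ.

```python
import re
from pathlib import PurePosixPath

# Constructed stand-in for a UAEG-style uploads .htaccess file. Only the
# structure (whitelist markers followed by a FilesMatch deny block) is
# assumed; the real BPS Pro file lists many more extensions.
SAMPLE_HTACCESS = """\
# BEGIN WHITELIST
# END WHITELIST
# FORBID THESE FILE EXTENSIONS FROM BEING ACCESSED OR EXECUTED REMOTELY
<FilesMatch "\\.(js|rar|zip|php)$">
Order Allow,Deny
Deny from all
</FilesMatch>
"""

# The forced-download block exactly as posted in the forum reply above.
FORCE_PDF_DOWNLOAD = """\
<FilesMatch "\\.(pdf)$">
AddType application/octet-stream .pdf
</FilesMatch>
"""

FORBID_MARKER = '# FORBID THESE FILE EXTENSIONS FROM BEING ACCESSED OR EXECUTED REMOTELY'
BLOCK_RE = re.compile(r'<FilesMatch\s+"([^"]+)">(.*?)</FilesMatch>', re.S)


def deny_pattern(htaccess):
    """Pattern of the FilesMatch block that denies access (skips AddType blocks)."""
    for pattern, body in BLOCK_RE.findall(htaccess):
        if 'Deny from all' in body:
            return pattern
    return None


def blocked_extensions(htaccess):
    """Extensions listed in the deny block's \\.(a|b|c)$ alternation."""
    pattern = deny_pattern(htaccess)
    alt = re.search(r'\\\.\(([^)]*)\)\$', pattern or '')
    return alt.group(1).split('|') if alt else []


def remove_extension(htaccess, ext):
    """Whitelist one extension by deleting it from the alternation (step 2 above)."""
    exts = blocked_extensions(htaccess)
    if ext not in exts:
        return htaccess  # nothing to do, e.g. pdf is not blocked by default
    kept = [e for e in exts if e != ext]
    if not kept:
        raise ValueError('refusing to empty the FilesMatch extension list')
    return htaccess.replace('(' + '|'.join(exts) + ')', '(' + '|'.join(kept) + ')', 1)


def insert_before_forbid(htaccess, snippet):
    """Place extra directives after '# END WHITELIST' and before the FORBID marker."""
    head, sep, tail = htaccess.partition(FORBID_MARKER)
    if not sep or '# END WHITELIST' not in head:
        raise ValueError('expected UAEG whitelist/forbid markers not found')
    return head + snippet.rstrip('\n') + '\n' + sep + tail


def _file_name(request_path):
    # Apache applies FilesMatch to the file name only; the query string is ignored.
    return PurePosixPath(request_path.split('?', 1)[0]).name


def is_blocked(htaccess, request_path):
    """Simulate the deny block: would this request be refused with 403?"""
    pattern = deny_pattern(htaccess)
    return bool(pattern) and re.search(pattern, _file_name(request_path)) is not None


def forced_download(htaccess, request_path):
    """True when a FilesMatch block maps the file to application/octet-stream."""
    name = _file_name(request_path)
    return any('application/octet-stream' in body and re.search(pattern, name)
               for pattern, body in BLOCK_RE.findall(htaccess))


if __name__ == '__main__':
    rar = '/wp-content/uploads/2014/10/Triple-Your-Leads-Reports.rar'
    js = '/wp-content/uploads/astra-addon/astra-addon-5cd15edc0462b9-78934553.js?'
    pdf = '/uploads/2015/03/SEO-Report-Webyellowpages-2.pdf'
    print(is_blocked(SAMPLE_HTACCESS, rar))              # True
    custom = remove_extension(SAMPLE_HTACCESS, 'rar')
    print(is_blocked(custom, rar), is_blocked(custom, js))  # False True
    custom = insert_before_forbid(custom, FORCE_PDF_DOWNLOAD)
    print(forced_download(custom, pdf))                  # True
    print(custom)
```

The simulation deliberately matches on the file name alone, as FilesMatch does, so a folder whitelist cannot be expressed by editing this regex; that is why the folder case in this thread is handled by a separate whitelist block placed before the FORBID marker rather than by editing the extension list.
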
    #30457

    guy te watson
    Participant

    Okay Thanks. It is open to rar downloads now, but just pressing the “UAEG BulletProof Mode Activate” button did not work to update the file. I did that several times without effect. I had to press the “Deactivation” button then the activation button and it worked to change/update the file.

    Thanks!

    #30458

    AITpro Admin
    Keymaster

    @ guy te watson – Odd. I just tested adding UAEG to Custom Code and it worked perfectly.  So not sure why you had that problem. Since you got things working then that issue does not really matter.

    #37249

    Rami M
    Participant

    Hi,

    How can I white-list this part of the Astra theme? This warning showed when I visited the post, and I have the Astra theme installed. I suppose it is safe?

    [403 GET Request: May 8, 2019 6:49 am]
    BPS Pro: 13.9
    WP: 5.2
    Event Code: UAEGWR-HPRA
    Solution: https://forum.ait-pro.com/forums/topic/uploads-anti-exploit-guard-uaeg-read-me-first/
    REMOTE_ADDR: ...
    Host Name: ...
    SERVER_PROTOCOL: HTTP/1.1
    HTTP_CLIENT_IP:
    HTTP_FORWARDED:
    HTTP_X_FORWARDED_FOR:
    HTTP_X_CLUSTER_CLIENT_IP:
    REQUEST_METHOD: GET
    HTTP_REFERER: https://....com/2019/04/16/hello-world-2/
    REQUEST_URI: /wp-content/uploads/astra-addon/astra-addon-5cd15edc0462b9-78934553.js?

    #37254

    AITpro Admin
    Keymaster

    @ Rami M – You would use the CUSTOM CODE UAEG folder whitelisting method at the beginning of this forum topic.  The /uploads/ folder that you need to whitelist is: astra-addon.

    Or you can use the “Alternative Method: Whitelist all .js files by removing js from the security filter” method at the beginning of this forum topic.

    If you need additional help then go to the BPS Pro menu > B-Core menu > htaccess File Editor tab page > click the Your Current Uploads htaccess file tab > copy your entire UAEG htaccess file code and paste it in your forum reply.  I will post the exact UAEG htaccess file code in my forum reply that you can then copy to the CUSTOM CODE UAEG text box.
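
As an added example (not code from the forum or from BPS Pro), a Python parser for a Security Log entry like the one quoted above: it reads the Key: value lines, keeps only UAEG events, and derives the /uploads/ subfolder and file extension that the reply above says to whitelist. The log text is copied from the post above with its redacted fields left as posted; the function names and the UPLOADS_PREFIX constant are assumptions.

```python
from pathlib import PurePosixPath
from urllib.parse import urlsplit

# Security Log entry quoted in the forum post above; the redacted
# fields ("...") are kept exactly as posted.
LOG_ENTRY = """\
[403 GET Request: May 8, 2019 6:49 am]
BPS Pro: 13.9
WP: 5.2
Event Code: UAEGWR-HPRA
Solution: https://forum.ait-pro.com/forums/topic/uploads-anti-exploit-guard-uaeg-read-me-first/
REMOTE_ADDR: ...
Host Name: ...
SERVER_PROTOCOL: HTTP/1.1
HTTP_CLIENT_IP:
HTTP_FORWARDED:
HTTP_X_FORWARDED_FOR:
HTTP_X_CLUSTER_CLIENT_IP:
REQUEST_METHOD: GET
HTTP_REFERER: https://....com/2019/04/16/hello-world-2/
REQUEST_URI: /wp-content/uploads/astra-addon/astra-addon-5cd15edc0462b9-78934553.js?
"""

# Assumed location of the WordPress uploads folder (the default install path).
UPLOADS_PREFIX = '/wp-content/uploads/'


def parse_log_entry(text):
    """Turn 'Key: value' lines into a dict; empty values stay empty strings."""
    fields = {}
    for line in text.splitlines():
        if line.startswith('[') or ':' not in line:
            continue  # the bracketed header line carries no key
        key, _, value = line.partition(':')
        fields[key.strip()] = value.strip()
    return fields


def whitelist_candidate(fields):
    """Derive the uploads subfolder and extension behind a UAEG block.

    Returns None for non-UAEG events or requests outside the uploads folder.
    """
    if not fields.get('Event Code', '').startswith('UAEG'):
        return None
    path = urlsplit(fields.get('REQUEST_URI', '')).path  # drops the query string
    if not path.startswith(UPLOADS_PREFIX):
        return None
    rel = PurePosixPath(path[len(UPLOADS_PREFIX):])
    folder = rel.parts[0] if len(rel.parts) > 1 else ''
    return {'folder': folder,
            'ext': rel.suffix.lstrip('.'),
            'event': fields['Event Code']}


if __name__ == '__main__':
    entry = parse_log_entry(LOG_ENTRY)
    print(whitelist_candidate(entry))
    # {'folder': 'astra-addon', 'ext': 'js', 'event': 'UAEGWR-HPRA'}
```

The result maps directly onto the two options in the reply above: the folder value is what the CUSTOM CODE UAEG folder whitelisting method needs, and the ext value is the entry that the alternative method removes from the security filter.
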
